IoT Device Hacking and New Direction of IoT Security Evaluation Using Common Criteria
- 1. Security Analysis aNd Evaluation Lab.
ICCC 2019
2019. 10. 02
IoT Device Hacking and New Direction of IoT Security Evaluation Using Common Criteria
Ki Taek Lee* (zizihacker@korea.ac.kr), Kwangwoo Lee** (kwangwoo.lee@hp.com), Seungjoo Kim*** (skim71@korea.ac.kr)
* 1st Author, CIST (Center for Information Security Technologies), Korea University
** 2nd Author, HP Inc.
*** Corresponding Author, CIST (Center for Information Security Technologies), Korea University
- 3. 3 / 40
Introduction
§ IoT market
§ In 2018, the global IoT market reached about 164 billion U.S. dollars.
§ By 2025, the IoT market is projected to reach over 1.5 trillion U.S. dollars.
Source: Size of the Internet of Things (IoT) market worldwide from 2017 to 2025 (in billion U.S. dollars),
https://www.statista.com/statistics/976313/global-iot-market-size/
- 4. 4 / 40
Introduction
§ Reference model of Internet of Things
§ ITU-T Y. 4000
Source: Fernmeldeunion, Internationale. "ITU-T Y. 4000/Y. 2060 (06/2012)."
- 5. 5 / 40
Introduction
§ Three high-level considerations for Internet of Things
1. Device Interactions with the Physical World.
Many IoT devices interact with the physical world in ways conventional IT devices
usually do not.
2. Device Access, Management, and Monitoring Features.
Many IoT devices cannot be accessed, managed, or monitored in the same ways
conventional IT devices can.
3. Cybersecurity and Privacy Capability Availability, Efficiency, and
Effectiveness.
The availability, efficiency, and effectiveness of cybersecurity and privacy capabilities
are often different for IoT devices than conventional IT devices.
Source: NISTIR 8228, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks, https://nvlpubs.nist.gov/nistpubs/ir/2019/NIST.IR.8228.pdf
- 6. 6 / 40
Introduction
§ IoT hacking and botnet
§ Security cameras represent 47 percent of the vulnerable devices installed on home networks.
§ IoT botnets used in large-scale network attacks:
Mirai (2016), Satori (2017)
Okiru, Masuta, PureMasuta, OMG, Wicked, Sora, Owari, Omni, Miori (2018)
Hakai, Yowai, SpeakUp (2019)
Source: ZDNET, https://www.zdnet.com/article/cybersecurity-these-are-the-internet-of-things-devices-that-are-most-targeted-by-hackers/
- 7. 7 / 40
Introduction
§ High-level risk mitigation
Three high-level risk mitigation goals:
1. Protect device security
2. Protect data security
3. Protect individuals’ privacy
Source: NIST IR 8228, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks, https://nvlpubs.nist.gov/nistpubs/ir/2019/NIST.IR.8228.pdf
- 8. 8 / 40
Real attack against IoT devices
⓪ Firmware acquisition and analysis
① Firmware provisioning
② Serial communication
③ Desoldering
④ Side channel attack
⑤ Remote Code Execution
⑥ Packet Relay
⑦ Developer mode or Backdoor
- 9. 9 / 40
Real attack against IoT devices
(Figure: the seven attack categories ①–⑦ mapped onto the parts of the device where each applies)
- 10. 10 / 40
Real attack against IoT devices
⓪ Find a firmware
§ Some vendors provide the firmware image publicly; availability depends on the vendor.
- 11. 11 / 40
Real attack against IoT devices
① Firmware provisioning
(Figure: Update Server ↔ IoT Hub; the firmware download link is obtained while the device updates its firmware, using SSL Strip)
- 12. 12 / 40
Real attack against IoT devices
② Serial communication
§ Used for debugging embedded systems
(Figure: finding the UART pins, UART connection, trying a JTAG connection)
- 13. 13 / 40
Real attack against IoT devices
③ Desoldering
§ Removal of solder and components from a PCB using a heat gun
§ Very hazardous; it requires a very skillful technique
(Figure: heat gun)
- 14. 14 / 40
Real attack against IoT devices
③ Desoldering
(Figure: the extracted eMMC is mounted and works normally)
- 15. 15 / 40
Real attack against IoT devices
④ Side channel attack
(Figure: share of stock bootloaders: U-Boot, CFE, RedBoot, RouterBOOT, other)
Most IoT devices use U-Boot
Source: https://wikidevi.com/wiki/Property:Stock_bootloader/full
- 16. 16 / 40
Real attack against IoT devices
④ Side channel attack
Embedded boot process (figure): boot loader → initialize peripheral devices → load the stored kernel images from flash memory into memory → kernel memory load, file system mount → OS boot
U-Boot boot loader flow (figure): initialization task → main_loop() → run_preboot → bootdelay → autoboot_command → OS boot; if the OS boot fails, control returns to cli_loop (the custom shell)
- 17. 17 / 40
Real attack against IoT devices
④ Side channel attack
The memory map is overwritten when autoboot_command is executed (U-Boot → start OS boot).
main_loop DOES NOT HANDLE the return value.
- 18. 18 / 40
Real attack against IoT devices
④ Side channel attack
(Figure: an error is induced through glitching; got the shell, CVE-2018-19916)
- 19. 19 / 40
Real attack against IoT devices
⑤ Remote Code Execution
§ Remote Code Execution at Cookie parameter
Service analysis (figure): process caught; found the login pages; SessionSecurityHandler function; GetCookieValue function
- 20. 20 / 40
Real attack against IoT devices
⑤ Remote Code Execution
§ Remote Code Execution at Cookie parameter
(Figure: used a proxy tool to poison cookie values; the process crashed by memory overflow)
- 21. 21 / 40
Real attack against IoT devices
⑤ Remote Code Execution
§ Remote Code Execution at Cookie parameter
Exploit (figure): wrote exploit code; got a reverse shell
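The crash on the previous slides comes from a cookie value that is longer than the handler expects. As an added example (not code from the talk or from the device's web service), here is what a bounds-checked GetCookieValue-style lookup looks like: the value is copied only if it fits, and an oversize value is rejected rather than truncated. The function names and the Cookie header strings are constructed for the example.

```c
/* Added example, not code from the talk or from the device's web service:
 * a bounds-checked cookie lookup of the kind a GetCookieValue-style handler
 * needs. Function names and the header strings used below are constructed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Copies the value of cookie `name` out of a raw "k=v; k2=v2" Cookie header
 * into `out` (capacity `out_len`). Returns the value length on success,
 * -1 if the cookie is absent and -2 if the value does not fit. An oversize
 * value is rejected rather than truncated, so a caller never mistakes a
 * clipped session token for a complete one. */
int get_cookie_value(const char *cookie_hdr, const char *name,
                     char *out, size_t out_len)
{
    size_t name_len = strlen(name);
    const char *p = cookie_hdr;

    if (out_len == 0) return -2;
    while (*p) {
        while (*p == ' ' || *p == ';') p++;      /* skip pair separators */
        if (!*p) break;
        const char *pair_end = strchr(p, ';');
        size_t pair_len = pair_end ? (size_t)(pair_end - p) : strlen(p);
        const char *eq = memchr(p, '=', pair_len);
        if (eq && (size_t)(eq - p) == name_len && memcmp(p, name, name_len) == 0) {
            const char *val = eq + 1;
            size_t val_len = pair_len - (size_t)(val - p);
            /* The pattern that crashes the device on slide 20 is an unbounded
             * copy of `val` into a fixed stack buffer: the header length is
             * attacker-controlled, so the copy must be bounded by `out_len`. */
            if (val_len >= out_len) return -2;
            memcpy(out, val, val_len);
            out[val_len] = '\0';
            return (int)val_len;
        }
        p += pair_len;                           /* not our cookie: next pair */
    }
    return -1;
}

int main(void)
{
    char sid[16];
    const char *hdr = "lang=en; sid=abc123; theme=dark";   /* constructed header */
    int n = get_cookie_value(hdr, "sid", sid, sizeof sid);
    printf("sid -> %d (%s)\n", n, n >= 0 ? sid : "");
    /* a 20-byte value does not fit a 16-byte buffer: rejected, no copy */
    printf("oversize -> %d\n",
           get_cookie_value("sid=0123456789abcdef0123", "sid", sid, sizeof sid));
    return 0;
}
```

The return codes let the calling handler distinguish "no session cookie" from "malformed request", which is also the place to log the rejected request: a stream of -2 results from one client is the kind of signal a fuzzing or exploitation attempt leaves behind.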
- 22. 22 / 40
Real attack against IoT devices
⑥ Packet Relay
§ Malformed packet relay attack
(Figure: output log generated during communication; data packet structure)
- 23. 23 / 40
Real attack against IoT devices
⑥ Packet Relay
§ Malformed packet relay attack
(Figure: found the command value of the packet structure in IDA; supported binary commands)
- 24. 24 / 40
Real attack against IoT devices
⑥ Packet Relay
§ Malformed packet relay attack
(Figure: MITM send packet / MITM recv packet)
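The relay attack works because the device accepts any well-formed packet, whenever it arrives. The table on slide 35 maps this to FPT_RPL_EXT.1 Replay Prevention; the following added example (not the talk's code and not the device's firmware) shows what the receiving side of that requirement looks like: a packet is accepted only if its command byte is on the firmware's allow-list and its sequence number is new within a 64-entry sliding window, the scheme IPsec uses for anti-replay. The packet layout, the command list and the sample sequence are constructed, and the code assumes an integrity tag (for example an HMAC over header and body) has already been verified by the caller, so a modified packet never reaches this check and a relayed copy fails on its sequence number.

```c
/* Added example, not the talk's code: receiver-side checks for a
 * sequence-numbered binary packet format. The packet layout, the command
 * allow-list and the sample traffic are constructed; the caller is assumed to
 * have verified an integrity tag (e.g. an HMAC) before calling check_packet(). */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define REPLAY_WINDOW 64u

enum verdict { ACCEPT = 0, REJECT_REPLAY = 1, REJECT_STALE = 2, REJECT_CMD = 3 };

struct packet { uint32_t seq; uint8_t cmd; };          /* constructed layout */

struct replay_state {
    bool     started;   /* false until the first packet is accepted */
    uint32_t highest;   /* highest sequence number accepted so far */
    uint64_t bitmap;    /* bit i set => sequence (highest - i) already seen */
};

void replay_init(struct replay_state *s)
{
    s->started = false; s->highest = 0; s->bitmap = 0;
}

/* Allow-list of command bytes; anything else is dropped before dispatch. */
static bool cmd_supported(uint8_t cmd)
{
    static const uint8_t allowed[] = { 0x01, 0x02, 0x10 };   /* constructed */
    for (size_t i = 0; i < sizeof allowed; i++)
        if (allowed[i] == cmd) return true;
    return false;
}

enum verdict check_packet(struct replay_state *s, const struct packet *pkt)
{
    if (!cmd_supported(pkt->cmd)) return REJECT_CMD;
    if (!s->started) {
        s->started = true; s->highest = pkt->seq; s->bitmap = 1;
        return ACCEPT;
    }
    if (pkt->seq > s->highest) {                  /* newer: slide the window */
        uint32_t shift = pkt->seq - s->highest;
        s->bitmap = (shift >= REPLAY_WINDOW) ? 0 : (s->bitmap << shift);
        s->bitmap |= 1;
        s->highest = pkt->seq;
        return ACCEPT;
    }
    uint32_t diff = s->highest - pkt->seq;        /* older: inside the window? */
    if (diff >= REPLAY_WINDOW) return REJECT_STALE;
    uint64_t bit = (uint64_t)1 << diff;
    if (s->bitmap & bit) return REJECT_REPLAY;    /* same packet delivered again */
    s->bitmap |= bit;
    return ACCEPT;
}

int main(void)
{
    /* constructed traffic: a relayed copy of seq 12 and a late seq 11 */
    const struct packet traffic[] = { {10, 0x01}, {12, 0x02}, {12, 0x02}, {11, 0x01}, {13, 0x7f} };
    static const char *names[] = { "accept", "replay", "stale", "bad command" };
    struct replay_state s;
    replay_init(&s);
    for (size_t i = 0; i < sizeof traffic / sizeof traffic[0]; i++)
        printf("seq=%u cmd=0x%02x -> %s\n", traffic[i].seq, traffic[i].cmd,
               names[check_packet(&s, &traffic[i])]);
    return 0;
}
```

The window is only meaningful together with the integrity tag: without it, a man-in-the-middle can simply rewrite the sequence number, which is why the table pairs this vulnerability with T.SDE_TRANSIT_COMPROMISE as well as T.UNAUTHORIZED_ACCESS.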
- 25. 25 / 40
Real attack against IoT devices
⑦ Developer mode or backdoor
Service analysis (figure): checked the 8443 service; access denied; analyzed the web service code; accessed the login interface successfully
- 26. 26 / 40
Real attack against IoT devices
⑦ Developer mode or backdoor
Analyzed the source code to get an account; the number of login attempts is restricted
Found a service that changes the MAC address and serial key; port information about the special service
Serial : AH66AJ01000000XXX, MAC : 98:93:CC:A2:XX:XX
- 27. 27 / 40
Real attack against IoT devices
⑦ Developer mode or backdoor
Access (figure): connected to the service; changed the password through the MESD daemon
(Figure: Ethernet MAC / WiFi MAC check)
- 28. 28 / 40
Real attack against IoT devices
⑦ Developer mode or backdoor
Function analysis (figure): accessed the admin page successfully; found the plug-in management service
- 29. 29 / 40
Real attack against IoT devices
⑦ Developer mode or backdoor
Exploit (figure): uploaded a reverse shell; got the shell!
- 30. 30 / 40
New Direction of IoT Security Evaluation
§ Efforts on the security requirements
§ Secure Boot from Microsoft*
Secure boot is a security standard developed by members of the PC industry to help make
sure that a device boots using only software that is trusted by the Original Equipment
Manufacturer (OEM). When the PC starts, the firmware checks the signature of each piece of
boot software, including UEFI firmware drivers (also known as Option ROMs), EFI applications,
and the operating system. If the signatures are valid, the PC boots, and the firmware gives
control to the operating system.
§ Root of Trust from Trusted Computing Group (TCG)**
A component that performs one or more security-specific functions, such as measurement,
storage, reporting, verification, and/or update. It is trusted always to behave in the expected
manner, because its misbehavior cannot be detected under normal operation.
§ Root of Trust from Global Platform***
A computing engine, code, and possibly data, all co-located on the same platform; provides
security services. No ancestor entity is able to provide a trustable attestation (in Digest or
other form) for the initial code and data state of the Root of Trust.
* https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-secure-boot
** https://trustedcomputinggroup.org/wp-content/uploads/17.pdf
*** https://globalplatform.org/wp-content/uploads/2018/07/GP_RoT_Definitions_and_Requirements_v1.1_PublicRelease-2018-06-28.pdf
- 31. 31 / 40
New Direction of IoT Security Evaluation
§ NIST Special Publication 800-193
§ Platform Firmware Resiliency Guidelines
§ Provides technical guidance for resiliency of platforms to protect against destructive attacks
§ Promotes resiliency in the platform by describing security mechanisms for:
§ Protecting the platform against unauthorized changes
§ Detecting unauthorized changes that occur
§ Recovery from attacks
- 32. 32 / 40
New Direction of IoT Security Evaluation
§ NIST Special Publication 800-193
§ Key concept
§ Roots of Trust (Section 4.1)
§ Protection (Section 4.2)
§ Detection (Section 4.3)
§ Recovery (Section 4.4)
Source: NIST Special Publication 800-193, Platform Firmware Resiliency Guidelines, https://doi.org/10.6028/NIST.SP.800-193
- 33. 33 / 40
New Direction of IoT Security Evaluation
§ ISO/IEC 15408 CD3 (FPT_INI.1 TSF Initialization)
§ This component requires the TOE to provide a TSF initialization function that brings the TSF into a secure operational state at power-on.
§ FPT_INI.1.1 The TOE shall provide an initialization function which is self-protected for integrity and authenticity.
§ FPT_INI.1.2 The TOE initialization function shall ensure that certain properties hold on certain elements immediately before establishing the TSF in a secure initial state, as specified below:
§ Properties → [assignment: property, for instance authenticity, integrity, correct version]
§ Elements → [assignment: list of TSF/user firmware, software or data]
§ FPT_INI.1.3 The TOE initialization function shall detect and respond to errors and failures during initialization such that the TOE [selection: is halted, successfully completes initialization with [selection: reduced functionality, signaling error state, [assignment: list of actions]]].
§ FPT_INI.1.4 The TOE initialization function shall only interact with the TSF in [assignment: defined methods] during initialization.
Source: ISO/IEC JTC 1 SC 27 WG 3 15408-2 Committee Draft 3. July 2019
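FPT_INI.1.3 is the requirement the U-Boot case on slides 16–18 fails: the initialization function must detect a failure and respond in a defined way, whereas the loader there falls through into its custom shell because main_loop never handles the return value of autoboot_command. The following added example (not U-Boot code and not the talk's) is a reduced model of that decision beside a fail-closed version. verify_image() stands in for the loader's integrity and authenticity check of FPT_INI.1.2 and uses a toy 32-bit FNV-1a digest; a real loader verifies a signature or an HMAC over the image. The image bytes and all function names are constructed, and the debug_unlocked flag is an assumption standing for an explicitly authorized debug mode (FPT_MOD_EXT.1).

```c
/* Added example, not U-Boot code and not the talk's: a reduced model of the
 * boot decision on slides 16-17 beside the fail-closed behaviour FPT_INI.1.3
 * requires. verify_image() is a stand-in using a toy FNV-1a digest; the image
 * bytes and all names below are constructed for the example. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum boot_outcome { BOOT_OS = 0, BOOT_SHELL = 1, BOOT_HALTED = 2 };

static uint32_t fnv1a(const uint8_t *p, size_t n)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* constructed stand-in for a kernel image stored in flash */
static const uint8_t demo_image[] = { 0x7f, 'E', 'L', 'F', 0x01, 0x02, 0x03, 0x04 };

uint32_t demo_image_digest(void) { return fnv1a(demo_image, sizeof demo_image); }

/* Stand-in for the integrity/authenticity check of FPT_INI.1.2. */
static bool verify_image(const uint8_t *img, size_t n, uint32_t expected)
{
    return fnv1a(img, n) == expected;
}

/* Models autoboot_command(): returns 0 and sets *out when the OS was started
 * (a real loader never returns from that jump); non-zero on any failure. */
static int autoboot_command(const uint8_t *img, size_t n, uint32_t expected,
                            enum boot_outcome *out)
{
    if (!verify_image(img, n, expected)) return -1;
    *out = BOOT_OS;
    return 0;
}

/* The pattern from the slides: the return value is ignored and control falls
 * through to cli_loop(), so a corrupted image, a glitch or any other induced
 * failure ends in an interactive shell with access to memory and flash. */
enum boot_outcome main_loop_fallthrough(const uint8_t *img, size_t n, uint32_t expected)
{
    enum boot_outcome out = BOOT_SHELL;
    (void)autoboot_command(img, n, expected, &out);   /* result not handled */
    return out;                                       /* BOOT_SHELL unless the OS started */
}

/* Fail-closed variant: an initialization failure is detected and the device
 * halts (FPT_INI.1.3); a shell is reachable only when a debug mode has been
 * explicitly unlocked by policy (FPT_MOD_EXT.1), never as the default path. */
enum boot_outcome main_loop_failclosed(const uint8_t *img, size_t n, uint32_t expected,
                                       bool debug_unlocked)
{
    enum boot_outcome out = BOOT_HALTED;
    if (autoboot_command(img, n, expected, &out) != 0)
        return debug_unlocked ? BOOT_SHELL : BOOT_HALTED;
    return out;
}

int main(void)
{
    uint8_t corrupted[sizeof demo_image];
    for (size_t i = 0; i < sizeof demo_image; i++) corrupted[i] = demo_image[i];
    corrupted[sizeof demo_image - 1] ^= 0x01;   /* one flipped bit, as a fault might leave */
    uint32_t d = demo_image_digest();
    printf("good image, fall-through loop: %d (0 = OS)\n",
           main_loop_fallthrough(demo_image, sizeof demo_image, d));
    printf("bad image,  fall-through loop: %d (1 = shell)\n",
           main_loop_fallthrough(corrupted, sizeof corrupted, d));
    printf("bad image,  fail-closed loop : %d (2 = halted)\n",
           main_loop_failclosed(corrupted, sizeof corrupted, d, false));
    return 0;
}
```

The model shows why the table on slide 35 lists FPT_INI.1 together with FPT_MOD_EXT.1 for the side-channel case: detecting the failed initialization is only half of the requirement, and the response on failure has to be one of the selections in FPT_INI.1.3 rather than whatever code happens to follow the failed call.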
- 34. 34 / 40
New Direction of IoT Security Evaluation
§ Other approaches and guidance
§ UK Government, DCMS (Digital, Culture, Media and Sport)
§ Code of Practice for Consumer IoT Security
§ Hardcopy Devices TC
§ HCD cPP
§ Network Device iTC
§ NDcPP
§ DSC iTC
§ DSC cPP
Source: https://medium.com/rtone-iot-security/the-uk-code-of-practice-for-consumer-iot-security-783e3473f726
- 35. 35 / 40
New Direction of IoT Security Evaluation
Vulnerability | Threat/Assumption* | Security Requirement of New Direction*
① Firmware provisioning | T.SDE_TRANSIT_COMPROMISE | FTP_ITE_EXT.1 Encrypted Data Communications
② Serial communication | T.HW_ATTACK, T.UNAUTHORIZED_ACCESS | FPT_PHP.3 Resistance to Physical Attack; FPT_MOD_EXT.1 Debug Modes
③ Desoldering | T.HW_ATTACK, T.UNAUTHORIZED_ACCESS | FPT_PHP.3 Resistance to Physical Attack
④ Side channel attack | T.HW_ATTACK, T.UNAUTHORIZED_ACCESS, T.SDE_TRANSIT_COMPROMISE, T.WEAK_OWNERSHIP_BINDING, T.WEAK_ELEMENT_BINDING, A.ROT_INTEGRITY | FPT_PHP.3 Resistance to Physical Attack; FPT_PRO_EXT.1 Root of Trust; FPT_ROT_EXT.1 Root of Trust Services; FPT_TST.1 Integrity Checking; FDP_MFW_EXT.1 Mutable/Immutable Firmware; FDP_DAU.1 Prove Data Authentication for Use with The Prove Service; FDP_MFW_EXT.2 Basic Firmware Integrity; FDP_MFW_EXT.3 Firmware Authentication with Identity of Guarantor; FPT_INI.1 TSF Initialization**
⑤ Remote Code Execution | T.UNAUTHORIZED_ACCESS | ATE_IND.1 Independent Testing; AVA_VAN.1 Vulnerability Survey
⑥ Packet Relay | T.UNAUTHORIZED_ACCESS, T.SDE_TRANSIT_COMPROMISE, T.WEAK_OWNERSHIP_BINDING, T.WEAK_ELEMENT_BINDING | FPT_RPL_EXT.1 Replay Prevention
⑦ Developer mode or Backdoor | T.UNAUTHORIZED_ACCESS, T.HW_ATTACK | FPT_MOD_EXT.1 Debug Modes
* collaborative Protection Profile for Dedicated Security Component, Version 1.0d, Sept. 9, 2019
** ISO/IEC JTC 1 SC 27 WG 3 15408-2 Committee Draft 3. July 2019
- 36. 36 / 40
Conclusion
§ Lack of security requirements and testing in IoT products.
§ We demonstrated real attacks against IoT devices that do not provide enough capabilities such as Secure Boot and Root of Trust.
§ iTCs, TCs, and WGs who want to create a new protection profile need to consider this in their evaluation and testing.
§ Also, IoT manufacturers …
- 37. 37 / 40
Thank you
This work was supported by the Institute for Information & communications Technology Promotion (IITP) grant funded by the Korea government (MSIT) (No. 2018-0-00532, Development of High-Assurance (≥EAL6) Secure Microkernel).
Special thanks to Jisub Kim, Hongryeol Lim and Pwnhub team.